Sunday, April 24, 2011

During the last UT99 server IP change, my IPv6 tunnel with Hurricane Electric, which had been running fine since February, got fucked. One thing led to another and I never got around to fixing it until today. Once I fixed it I realized my IPv6 name resolution was not optimal and I fixed that, too. It was just a minor PowerDNS tweak to tell the recursor what address to do IPv6 name resolution on. Once that was done, I didn't have to depend on the special IPv4+6 Squid proxy I had set up.

Why is it back now? If I had to guess I'd say it's because of the rise of the iPad, since from Day One mDNS was always an Apple Thing™.

What does mDNS do for you? Apple fanboys will always tell you that their MAC just works. In fact, if you ask them how it does that, they don't know, and they'll admit they don't know.

All they know, they'll say, is it just works.

And that is the sum total of their knowledge about MACs (ask one someday, s/he will gladly tell you).

Apparently they're not inquisitive enough to find out why. Or maybe they're just stoopit.

mDNS is one of those things that enable that particular feature. When a MAC fanboy walks into an environment that supports mDNS (not very common in the Windows world), all local devices are available. Need to print? Most printers, copiers, and fax combo devices built in the last five years will be available because of mDNS. Want to listen to some music? You can hook up to a local user's iTunes and get in the groove.

All sorts of Good Shit will be available to you.

(NOTE: security wonks such as myself don't think this is necessarily a Good Thing)

When you combine mDNS with IPv6, like I did today, the future will be revealed to you.

Soon, your ISP will be giving you a shitzillion IPv6 addresses, more than you will ever need. Every device in your home will have its own IPv6 address and those devices will need to talk to each other and you. mDNS will help enable that communication.

While your devices are chatting, you still have to make sure that some IPv6 enabled samovar in East Fuckistan isn't attacking your Mr. Coffee in Cleveland, so you'll still need a firewall. But—and this is the best part—you'll be able to forget everything you ever didn't want to know about NAT, which has been forced on you because of that one crappy IPv4 address your ISP currently allows you.

Saturday, April 23, 2011

"PPLive has more than 200 million user installations and its active monthly user base (as of Dec 2010) is 104 million, i.e., PPLive has a 43% penetration of Chinese internet users. With its innovative user experiences, such as live chatting, and SNS, average viewing time per person per day has reached over 2 hours and 30 minutes, the highest stickiness among all China websites."

The Intro
=========

Anyone who has followed public proxy lists in the past year has noticed there are thousands of new open proxies listening on port 9415 listed every day. In the past year I have documented over 394,000 port 9415 proxies from these public lists. Geolocation of the IP addresses indicates they are widespread mostly in China but also in Taiwan, Macau, Hong Kong, and pockets of the US where Chinese is likely to be spoken.

I initially suspected some kind of malware. Finding nothing in Google (searching for 9415 will get you a lot of proxy lists), I eventually started searching Baidu. The results were immediate.

These proxies are built into the PPLiveVA client to retrieve an internal PAC (proxy autoconfiguration) file from the following URL:

http://localhost:9415/tudouva.pac

Replacing "localhost" with the IP of an active port 9415 proxy (if you can find one) will get you the PAC file, shown below:

Obviously, the proxy should be listening on 127.0.0.1 only, but in practice it listens on all interfaces.
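As an added example (not from the original post and not PPLive's code), here is a small audit script for the situation just described: it parses the output format of `ss -ltn` and flags any port that should be loopback-only, such as the 9415 PAC server, when it is bound to a wildcard or routable address. The `ss` output it runs on is constructed for the example.

```python
"""Flag loopback-only services that are listening on all interfaces."""
import ipaddress

# Ports that must never be reachable from other hosts. 9415 is the
# PPLiveVA PAC server from the post; add your own as needed (assumption).
LOOPBACK_ONLY = {9415}

# Constructed sample of `ss -ltn` output (Linux, iproute2); not a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*
LISTEN  0       50      0.0.0.0:9415         0.0.0.0:*
LISTEN  0       50      [::]:9415            [::]:*
LISTEN  0       128     [::1]:9415           [::]:*
LISTEN  0       128     *:22                 *:*
"""


def parse_local(addr_port: str):
    """Split 'addr:port' as printed by ss; handles [ipv6] and '*'."""
    host, _, port = addr_port.rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback(host: str) -> bool:
    """True only for 127.0.0.0/8 and ::1; wildcard binds are not loopback."""
    if host in ("*", ""):
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def find_exposed(ss_output: str, loopback_only=LOOPBACK_ONLY):
    """Return (host, port) for watched ports that other hosts can reach."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or malformed line
        host, port = parse_local(fields[3])
        if port in loopback_only and not is_loopback(host):
            exposed.append((host, port))
    return exposed


if __name__ == "__main__":
    # On a live box, feed it the real output: `ss -ltn | python3 audit.py`.
    for host, port in find_exposed(SAMPLE_SS_OUTPUT):
        print(f"port {port} is bound to {host}: reachable from other hosts")
```

On the sample, only the 0.0.0.0 and :: binds of 9415 are reported; the ::1 bind passes, which is what the PAC server should have been doing in the first place.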

The Outro
=========

It looks like there are 100 million open proxies in China, thanks to this software. Pick a Chinese IP address, scan for port 9415. You'll get one sooner or later. I don't consider this a 0day, since it's been going on for over a year. Responsible disclosure? meh. A little late for that.

Monday, April 11, 2011

If you bookmarked BOT House, BITCH House, et al., in UT99 your bookmarks are now out of date.

This time it wasn't a power outage. It just had to be done.

Last week, I ragged on GoDaddy's DNS services (I didn't say one word about Bob Parsons shooting the elephant... not one word!). By early Saturday morning, between 1AM and 2AM they took away my ability to resolve my own DNS name through their servers. After banging my head on the wall for several hours over this issue, it became obvious from the responses I received from their DNS servers ("Query refused") that they had blocked my IP at their servers.

First it was one person, then multiple people. Then, horrified, I started seeing it in print. Here is the most recent offender.

The offensive fragment is "Man previous convicted...", which should read "previously convicted". I guarantee this is not a typo. This is how the author (and obviously his editor) speaks. Why he didn't go for the double whammy and drop the -ly in "allegedly strikes" is anyone's guess. Maybe because it didn't sound right? Maybe because it sounded bad enough already?

OK, here's another one, which you could conceivably (conveivable?) blame on Twitter's character limit, but this guy, whoever the fuck he is (I hate retweets), had 18 characters to spare...

Again, I guarantee this is how he speaks. Do I have to spell it out? It should be "absolutely love it".

I have been seeing "remote exploitable" for a long, long time and I just have to grit my teeth every freakin time it pops up and it pops up all the fucking time, mostly from a Certain Security Company That Will Remain Nameless.

I appreciate that the editor tried to correct this doofus, but I would have gone with (sic) instead of (sp).

This is a "salvage upgrade" of pieces/parts from my old—circa 2003—Windows XP box, which suffered a fatal hardware malfunction. The heatsink on the chipset sproinged off and cooked it, causing numerous spontaneous reboots. This is the second time in ten years this kind of heatsink failure has happened to one of my boxes. Otherwise, it was a pretty solid machine. But now it rests in pieces in Hinky's Hardware Graveyard. Caches to ashes, DOS to dust...

It had 3 GB of RAM, so I took the two matched 1 GB sticks and moved them over. It seems to be running fine.